Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2078
Views
40
Helpful
21
Replies

ASA 5525 , what exactly is the failover link used for?

Go to solution
jmaxwellUSAF
VIP
VIP

‎01-21-2023 07:31 AM

Hello.

"ciscoasa(config)# failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2"

The above is the Cisco literature config for a failover link for a one of two 5525s in a high-availability setup.

What exactly is this link used for? What traverses the link? 

Thank you.

Labels:
0 Helpful
21 Replies 21

Go to solution
jmaxwellUSAF
VIP
VIP
In response to Rob Ingram

‎01-21-2023 10:58 AM

All interfaces on both ASA are up. On both ASAs I can ping all interfaces except Default gateway

Gateway of last resort (! obfuscated !) is 7.7.7.1 to network 0.0.0.0

This symptom occurred after when i executed "failover active" on the currently active ASA.

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to jmaxwellUSAF

‎01-21-2023 11:05 AM

@jmaxwellUSAF clear arp on the upstream switch that your next hop gateway is connected to.

Go to solution
jmaxwellUSAF
VIP
VIP
In response to Rob Ingram

‎01-21-2023 11:22 AM

In short, I currently have Anyconnect VPN connectivity. I have confirmed access through the VPN to the enterprise internal LAN.

It is true that I just executed "failover active" from both devices.

Now the first symptom exists in which the VPN takes about 1 minute to join from the client.

The intended primary FW is listing as: FW/sec/act#
The intended secondary FW is listing as: FW/pri/stby#

What is the procedure to correctly set these ASAs to their proper active/standby setup? I expect it is to execute "failover active" on FW/sec/act . May you please confirm or advise?

Thank you.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to jmaxwellUSAF

‎01-21-2023 11:27 AM

@jmaxwellUSAF the correct procedure to perform failover is, execute the no failover active command on the active unit or the failover active command is run on the standby unit.

What was the issue when there was no connectivity? It sounds like there is some other underlying issue.

0 Helpful

Go to solution
jmaxwellUSAF
VIP
VIP
In response to Rob Ingram

‎01-21-2023 12:07 PM

I successfully executed failover for the ASA HA setup. The Anyconnect "long join time" symptom is remediated.

This entire task is complete.

I am unsure why I briefly lost connectivity. I expect it has something to do with my confusing workstation NIC situation. Both my ethernet and wifi are active. Sometimes I'm connected to the VPN through WiFi, sometimes not. I get confused with the active network paths from my workstation.

Rob, clearly your help was invaluable here. Thank you, and please enjoy your weekend!

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-21-2023 09:30 AM

 I will run lab and capture the traffic between two ASA FW HA, and share here. 

Go to solution
jmaxwellUSAF
VIP
VIP
In response to MHM Cisco World

‎01-21-2023 09:41 AM

Thank you MHM. I am strongly suspecting this root cause was a human mistakenly disconnecting a monitored link. Unless new conclusions are suggested in the thread, you may cease your lab effort. Thank you sir.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card